Skip to Main Content
Services Talent Knowledge
Site Search
Menu

Blog Post

July 1, 2019

HHS Publishes HIPAA Guidance for Use of Health Apps

On April 18, 2019, the US Department of Health and Human Services (HHS) Office for Civil Rights issued five new FAQs addressing the applicability of HIPAA to the use of software apps that receive health information. This guidance was released in recognition of expanding e-health technology and the increased use of health apps by patients on mobile devices such as smartphones and watches.

The HHS clarified that, if a patient requests to receive their ePHI on a third-party health app that was not provided by or on behalf of the covered entity, the covered entity is not liable under HIPAA for any breach or impermissible disclosure. The individual’s right of access includes the right to request the covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. If a covered entity transmits ePHI––at the patient’s direction––to an app via an unsecure manner or channel, the covered entity is not responsible for unauthorized access during the transmission, although the entity may wish to counsel the patient about the risk of unauthorized access.

By contrast, if a health care app was developed for or provided by or on behalf of a covered entity and it creates, receives, maintains, or transmits ePHI on behalf of the covered entity, then a business-associate relationship exists between the covered entity and the app developer, and the covered entity could be liable for an impermissible disclosure of ePHI. If the covered entity contracts with the app developer and provides the app to its patients for remote management, monitoring, or other purposes, the covered entity is subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.

The new FAQs are available here under the “Access Right, Apps, and APIs” heading. These new FAQs provide important HIPAA guidance for covered entities, EHR developers, and app developers. Patients are demanding greater data accessibility and convenience through wearables and health-tracking apps, and covered entities must be cognizant of HIPAA compliance when sharing health information via these new technologies.

If you have questions regarding the information presented in this blog post, please contact Fran Ciardullo, special counsel, at fciardullo@barclaydamon.com or another member of the firm’s health care or health and human services providers teams.

Featured Media

Alerts

RAPID Action: NYS Office of Energy Renewable Energy Siting and Transmission Announces Draft Regulations for New Transmission Siting Framework

Alerts

NYSDEC Issues Draft Freshwater Wetlands General Permit

Alerts

USPTO Updates Audit Program

Alerts

NYS DOL Publishes Long-Awaited FAQs on Paid Prenatal Leave Law

Alerts

Update on Massachusetts Pay Transparency Law Disclosures and EEO Reporting Requirements in 2025

Alerts

Massachusetts Employers Required to Provide Job Applicants Notice That Use of a Lie Detector Test Is Unlawful

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out